DevOps improves code quality, but security must happen sooner

The annual GitLab survey of over 3,650 software professionals has reported that more than one-third (35%) are new to DevOps. Just under one-fifth of the software developers surveyed said they have been using DevOps for a year or less, and a further 20% said they have been practising it for over five years.

According to GitLab, about 27% are in the so-called DevOps “sweet spot” of three to five years, which it said means they are comfortable and successful with the practice.

Most developers said they use DevOps to improve code quality, followed by improved time to market, less manual testing, better collaboration and because it makes them happier. Nearly 60% said their organisations deploy it multiple times a day, once a day, or once every few days, which, said GitLab, reflects the large number of responses from smaller companies. Just 11% said they deploy once a month and only 8% said every few months.

Nearly 38% of the software developers who took part said their DevOps implementations include CI/CD, while 29% said test automation, 16% said DevSecOps, and nearly 9% use multicloud.

Almost 40% of the developers said they “partially” use microservices, while 26% fully use them and 31% do not use them at all. Some developers said they are planning to investigate, or are already investigating, microservices.

Commenting on the survey findings, Sid Sijbrandij, CEO and co-founder at GitLab, said: “There is still significant work to be done, particularly in the areas of testing and security. We look forward to seeing improvements in collaboration and testing across teams as they adjust to utilising new technologies and job roles become more fluid.”

As far as writing secure code is concerned, 65% of security professionals said their organisations push security back (“shift left”) to earlier in the development process. When asked how far back security should be tested, only 24% said their companies have static application security testing (SAST) scanners in a web IDE. Less than 19% put SAST scan results into a pipeline report that a developer can access.

GitLab’s survey found that less than 14% of companies give developers access to dynamic application security testing (DAST) – and less than 14% of companies give developers reports. “If you want to enable developers to find and fix vulnerabilities, you have to give them the scan results in their pipelines or native workflows,” said GitLab.

The survey also showed that 56% of developers do not run container scans, and about half run compliance scans. However, 57% said they do conduct dependency scans.

“Although there is an industry-wide push to shift left, our research shows that greater clarity is needed on how teams’ daily responsibilities are changing, because it impacts the entire organisation’s security proficiency,” said Johnathan Hunt, vice-president of security at GitLab.

“Security teams need to implement concrete processes for the adoption of new tools and deployments in order to increase development efficiency and security capabilities.”